On 8/19/14, Paul Hoffman <[email protected]> wrote:
> On Aug 19, 2014, at 11:51 AM, Jacob Appelbaum <[email protected]> wrote:
>
>>> Sure, let's be explicit. Proposed addition to the policy section:
>>>
>>> If a recursive resolver does not respond on port 443 or set up a TLS
>>> session, the stub resolver MAY use the normal DNS protocol on port 53.
>>>
>>
>> I'm not a fan of making it possible for an attacker to downgrade with
>> a single (non-cryptographically protected) TCP RST packet. If I
>> configure a resolver and declare it to be secure (and use it as such),
>> why not fail closed?
>
> Because then hosts that use stub resolvers will not be able to use the DNS
> at all.

That is correct and that is exactly what I expect when my network is
attacking me. Rather than leaking that I'm visiting an ad name that
implies I've visited a gay dating site, I want it to fail closed.
If I declare it as secure, I want it to remain secure - where the
security here is all about *confidentiality* and DNSSEC does the rest
with regard to integrity, etc.

>
>> Why not detect that as an attack or as outright
>> network censorship?
>
> We could add such detection, but only if the value outweighs the complexity
> and possible failure modes.

If the TLS connection fails to complete (authenticated or not), it
should be as simple as returning something like E_CENSORSHIP_DETECTED.
An error like "Unable to connect securely to resolver, please contact
your ISP" would be fine.

Most OSes don't do anything remotely helpful when DNS fails. It might
be nice if that failure mode was privacy preserving...

>
>> This seems to fail if there is an active attacker that blocks TLS
>> traffic - is there a way for the resolver to somehow learn in-band on
>> port 53 that this attack is happening?
>
> Probably, but you still haven't said what value there is in knowing that. A
> stub resolver has no log and no way of alerting anyone that it discovered
> something important.

If my resolver allows upgrading to a secure method of communication,
I'd like to know. Furthermore, I'd like to automatically upgrade to
that secure communications path if it was available. An OS could probe
for a specific record type - similar to say, version.txt.

e.g.: nslookup -q=txt -class=CHAOS query.privacy.bind.

It could even learn the likely fingerprint of the server à la DANE, for example.

>
> Let me know if I'm missing something obvious.

Hope that helps.

All the best,
Jacob
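The two mechanisms argued over above, a fail-closed stub that refuses to drop to port 53 when the TLS path is reset, and an in-band CHAOS-class TXT probe on port 53 for discovering that a TLS path exists, as an added example that is not part of the list thread and not code from any resolver project. The wire format (RFC 1035 header plus question, QTYPE TXT = 16, QCLASS CHAOS = 3) is real; the probe name `query.privacy.bind.`, the `strict` policy flag, the error class and the `FakeTransport` stand-in for the network are assumptions made for illustration.

```python
import struct

QTYPE_A, QTYPE_TXT = 1, 16
QCLASS_IN, QCLASS_CHAOS = 1, 3
PROBE_NAME = "query.privacy.bind."   # hypothetical probe name from the thread


def build_query(qname, qtype, qclass, txid=0x1234):
    """Encode a one-question DNS message (RFC 1035 s4.1): header + QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname_wire = b"".join(
        bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Return (txid, rcode, ancount) from a DNS message header."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, ancount


class CensorshipDetected(Exception):
    """Fail-closed error: the path the user declared secure could not be set up."""


def resolver_offers_tls(transport):
    """In-band probe over plain port 53: CHAOS-class TXT query for PROBE_NAME.
    A NOERROR reply carrying at least one answer RR is read as 'TLS path offered'."""
    reply = transport.udp53(build_query(PROBE_NAME, QTYPE_TXT, QCLASS_CHAOS))
    _txid, rcode, ancount = parse_header(reply)
    return rcode == 0 and ancount > 0


def resolve(name, transport, strict):
    """Try the TLS path first. If it fails: strict -> raise (fail closed);
    permissive -> plaintext on port 53, which is the downgrade a single
    spoofed TCP RST buys an on-path attacker under the proposed MAY."""
    query = build_query(name, QTYPE_A, QCLASS_IN)
    try:
        return "tls", transport.tls(query)
    except ConnectionError as exc:
        if strict:
            raise CensorshipDetected(
                "Unable to connect securely to resolver, please contact your ISP"
            ) from exc
        return "udp53", transport.udp53(query)


class FakeTransport:
    """Constructed stand-in for the network (no sockets). `tls_blocked` models an
    attacker resetting port 443; `probe_answers` models whether the resolver
    publishes the hypothetical CHAOS TXT probe record."""

    def __init__(self, tls_blocked, probe_answers):
        self.tls_blocked = tls_blocked
        self.probe_answers = probe_answers

    def _reply(self, query, ancount):
        txid = struct.unpack("!H", query[:2])[0]
        # QR=1 RD=1 RA=1 RCODE=0; the question is echoed, answer RRs are omitted
        # because only the header counts are inspected in this example.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + query[12:]

    def tls(self, query):
        if self.tls_blocked:
            raise ConnectionError("connection reset by peer")
        return self._reply(query, 1)

    def udp53(self, query):
        qclass = struct.unpack("!H", query[-2:])[0]
        if qclass == QCLASS_CHAOS:
            return self._reply(query, 1 if self.probe_answers else 0)
        return self._reply(query, 1)


if __name__ == "__main__":
    attacked = FakeTransport(tls_blocked=True, probe_answers=True)
    print("probe says TLS offered:", resolver_offers_tls(attacked))
    print("permissive policy used:", resolve("example.com", attacked, strict=False)[0])
    try:
        resolve("example.com", attacked, strict=True)
    except CensorshipDetected as e:
        print("strict policy:", e)
```

With `strict=False` the attacked run silently answers over cleartext port 53 even though the probe reported a TLS-capable resolver; with `strict=True` the same reset surfaces as the user-facing error the thread asks for instead of a leaked query.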

_______________________________________________
dns-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dns-privacy

Reply via email to